drill-dev mailing list archives

From "John Omernik (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DRILL-3880) sqlline does not allow for a password prompt - security issue
Date Thu, 01 Oct 2015 15:54:26 GMT
John Omernik created DRILL-3880:

             Summary: sqlline does not allow for a password prompt - security issue
                 Key: DRILL-3880
                 URL: https://issues.apache.org/jira/browse/DRILL-3880
             Project: Apache Drill
          Issue Type: Improvement
          Components: Client - CLI
    Affects Versions: 1.1.0
            Reporter: John Omernik
             Fix For: Future

When authentication is enabled in Drill, and using sqlline, there is no way to get the sqlline
client to prompt for a password. The only option is to specify the password at the command
line (-n user -p password) or to log in and then connect.

This is a security risk, in that now the .bash_history contains the user's password, defeating
accountability on the system.  Hive and MySQL both allow for a -p flag with no value to trigger
a prompt for the password that is not logged by .bash_history.

One workaround is to connect after starting sqlline; however, if the sqlline command offers
a way to specify the username/password, we should do it in a way that doesn't violate security.

This message was sent by Atlassian JIRA
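
An added example, not part of the original message or of Drill's own tooling: a shell function that audits a history file for the exposure described in the report, listing sqlline invocations where -p is followed by a value, with that value redacted. The function name, the sample history lines and the /opt/drill path are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: find sqlline commands in a shell history file that passed
# the password as a -p value. A bare trailing "-p" (the prompt form used by
# Hive and MySQL) is not reported.

find_sqlline_passwords() {
    # $1: path to a history file such as ~/.bash_history
    awk '
    {
        is_sqlline = 0; hit = 0; out = ""
        for (i = 1; i <= NF; i++) {
            # Match "sqlline" itself or any path ending in /sqlline.
            if ($i == "sqlline" || $i ~ /\/sqlline$/) is_sqlline = 1
            # -p followed by a token that is not another flag is a password.
            if (is_sqlline && $i == "-p" && i < NF && $(i+1) !~ /^-/) {
                out = out " -p <redacted>"
                i++          # skip the password so it is never printed
                hit = 1
            } else {
                out = out " " $i
            }
        }
        if (hit) print NR ":" out
    }' "$1"
}

# Constructed sample history (not real data).
hist=$(mktemp)
cat > "$hist" <<'EOF'
ls -l
sqlline -u jdbc:drill:zk=localhost:2181 -n alice -p S3cret!
/opt/drill/bin/sqlline -u jdbc:drill:zk=localhost:2181 -n bob
sqlline -u jdbc:drill:zk=localhost:2181 -n carol -p
mysql -u dave -p
EOF

# Reports only line 2; lines without a -p value are ignored.
find_sqlline_passwords "$hist"
rm -f "$hist"
```

Any password the audit finds should be rotated, since it has already been written to disk in clear text.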